'Stop Using Dapps': Ledger Library 'Compromised' With Wallet Drainer - Decrypt

Hardware wallet manufacturer Ledger has warned users not to connect to decentralized applications (dapps), after a malicious version of the Ledger Connect Kit was identified.

A spokesperson for Ledger told Decrypt that, “We have identified and removed a malicious version of the Ledger Connect Kit. A genuine version is being pushed to replace the malicious file now. Do not interact with any dApps for the moment.” The spokesperson added that Ledger devices and its Ledger Live app were not compromised, and that the firm “will keep users informed as the situation evolves.”

Software wallet developer MetaMask also warned users to "stop using dapps" as news of the attack broke.

The compromised version of the Connect Kit, a library that enables the Ledger hardware wallet to connect with dapps, was first identified by developers posting on Twitter.

🚨We have identified and removed a malicious version of the Ledger Connect Kit. 🚨 A genuine version is being pushed to replace the malicious file now. Do not interact with any dApps for the moment. We will keep you informed as the situation evolves. Your Ledger device and… — Ledger (@Ledger) December 14, 2023

Web3 security firm Blockaid reported that "The attacker injected a wallet draining payload" into the Ledger Connect Kit's NPM package, adding that dapps using versions 1.1.4 and above of Ledger's connect-kit, including Sushi.com and Hey.xyz, were affected.

🚨 We've detected a potential supply chain attack on ledgerconnect kit 🚨

The attacker injected a wallet draining payload into the popular NPM package.

This currently affects a couple of popular dapps including but not limited to https://t.co/2QJmKIGv9T — Blockaid (@blockaid_) December 14, 2023

SushiSwap CTO Matthew Lilley castigated Ledger for a “chain of terrible blunders,” explaining that, “a commonly used web3 connector has been compromised which allows for injection of malicious code affecting numerous dApps.”

He added that users should avoid using any dapps “until their teams confirm that they have mitigated the attack.”
